Virtual Token Leaves No Footprint

September 2002

By Henry S. Kenyon

Method offers security without additional equipment costs.

A recently developed identification authentication system permits personnel to receive single-use passwords via wireless devices, allowing users who are traveling or at remote sites to access their networks. The technology is compatible with a variety of equipment that supports text messaging such as cellular telephones, pagers, personal digital assistants and laptop computers.

With wireless markets growing rapidly, organizations are attempting to meet the needs of highly mobile staff. Security presents a challenge in these circumstances because employees must either be issued an unchanging password or rely on devices such as tokens to randomly generate entry codes. The cost of issuing large numbers of tokens or installing the appropriate hardware into wireless devices is prohibitive for many public and private sector entities.

One solution to this dilemma is to implement a system that does not require additional hardware. Because it lacks a “footprint,” installation costs and operational maintenance are minimal. One such offering is MobilePass, an authentication tool developed by Secure Computing Corporation, San José, California.

MobilePass functions like a token authentication system but without physical tokens, William Leichter, Secure’s director of product marketing, explains. Noting that the best authentication has multiple facets, he cites the example of an automated-teller-machine card, which requires both a physical device and a personal identification number (PIN).

The Secure Computing software assigns a randomly generated single-use password to users every time they attempt to log on to the network. Residing on a server, the program generates a password that is transmitted as a text message to the user’s wireless device—a cellular telephone, personal digital assistant (PDA) or laptop computer.

“When I log on the server, I identify myself, and it generates that one-time code. But instead of waiting for me to enter it on my token, it automatically sends it out as a text message to my phone,” he explains. The software also has plug-ins that enable it to operate with short message service (SMS) devices. The code is transmitted via a second channel to the user’s wireless device, where it and a PIN are entered for system access. The one-use codes offer a security advantage because the passwords are constantly changing. If the password is intercepted, it is only useful once, and only if the interlopers also have that specific employee’s PIN.

Because the password is sent directly to a wireless device, purchasing additional hardware or software is not required. This allows firms and government agencies to protect a variety of applications such as Web access, virtual private networks and network log-on using two-factor authentication.
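The two-channel flow described above, modelled as an added example; this is not Secure Computing's code, and the code length, the validity window, the single-attempt rule and the injected `send_text` delivery hook are assumptions made for the illustration.

```python
import hmac
import secrets
import time


class OutOfBandOtpServer:
    """Server side of the flow: identify, mint a single-use code, text it,
    then verify code plus PIN on the primary channel.

    Assumed policy (not the product's): 8-digit codes, valid for `ttl`
    seconds, consumed on the first verification attempt whether or not it
    succeeds, so an intercepted code is useless after one try.
    """
    CODE_DIGITS = 8

    def __init__(self, send_text, ttl=300, clock=time.time):
        self.send_text = send_text   # out-of-band delivery (SMS/pager), injected
        self.ttl = ttl               # expiry bounds the window a delayed message is usable
        self.clock = clock
        self.users = {}              # user -> (phone, pin); hash the PIN in a real deployment
        self.pending = {}            # user -> (code, expires_at)

    def enroll(self, user, phone, pin):
        self.users[user] = (phone, pin)

    def request_login(self, user):
        """Step 1: the user identifies; the server mints a code and texts it."""
        phone, _ = self.users[user]
        code = "".join(secrets.choice("0123456789") for _ in range(self.CODE_DIGITS))
        self.pending[user] = (code, self.clock() + self.ttl)   # replaces any older code
        self.send_text(phone, f"Your one-time login code is {code}")

    def verify(self, user, code, pin):
        """Step 2: the user enters the texted code and the PIN. Returns True only
        when both match an unexpired, not-yet-used code."""
        entry = self.pending.pop(user, None)   # pop: one attempt per code, success or fail
        if entry is None or user not in self.users:
            return False
        expected, expires_at = entry
        if self.clock() > expires_at:
            return False                        # stale (e.g. SMS delayed); request a new code
        ok_code = hmac.compare_digest(expected, code)   # constant-time comparisons
        ok_pin = hmac.compare_digest(self.users[user][1], pin)
        return ok_code and ok_pin
```

The `send_text` hook stands in for the carrier gateway, so the flow can be exercised offline with a recording function and a fake clock.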

MobilePass is a component of Secure Computing’s SafeWord PremierAccess server-based authentication software (SIGNAL, January, page 49). Leichter does not see it as a separate spin-off product because customers need the PremierAccess software to provide the authentication capability and to set network-user policies.

Some token users also are interested in MobilePass as a backup system. Leichter notes that token vendors never really have addressed the issue of how an employee can log on if he or she forgets the token.

As a backup function, Secure Computing provides a mechanism that permits token access for a day. A user can go to the company’s enrollment center, enter some personal information such as a birthday or mother’s maiden name as identification and receive a password for 24 hours. The service eliminates the need to issue a fixed password for a single day’s use, he says.

Leichter maintains that token software is many times stronger than a single password. Because the password is sent to users via a different method before they log on to a Web site, it is extremely difficult to intercept the code and break into the system.

How customers implement the system and what protocols they use also have a major effect on security. Leichter believes that SMS is somewhat more secure than an e-mail-based solution, explaining that some providers such as AT&T now permit clients to broadcast text messages directly through their secure networks without any intermediaries. Commercial e-mail messages often must move through various points in the Internet before they reach their destination, making them susceptible to interception.

Another issue affecting wireless devices is service availability. One downside to text messaging is that network problems could delay messages up to half an hour before they reach a user, instead of the usual five to 10 seconds. “Now if you are using this [MobilePass] as a backup system for a token, that’s fine, even if you wait a couple of minutes, it’s better than going home to get it,” he says.

Leichter adds that text-messaging systems such as SMS currently are more reliable in Europe, where they are very popular, but that service is rapidly improving in North America. SMS primarily operates on the global system for mobile (GSM) protocol, which is the primary European wireless standard. It functions like a pager system, permitting users to send text messages of up to 160 characters via their cellular telephones. Conversely, U.S. customers can receive e-mail through their cellular telephones with less difficulty than in Europe. Secure Computing is working with SMS providers in Europe and Asia to correct these issues, he says.

The system runs on a number of wireless protocols such as wireless application protocol, third-generation wireless, GSM or equipment based on the 802.11 standard, and toolkits are available to configure the software for a variety of carriers. It also allows users with PDAs to access protected Web content and receive their passwords on the same device. The password is transmitted via a separate channel to the PDA; however, this function depends on the device being able to support different channels and protocols, he cautions.

Although MobilePass is not as secure as a stand-alone token device for network access, it is more robust than a fixed password. A major feature of the company’s products is that they can support a range of authenticator levels, allowing customers to set their own user access thresholds. While Leichter does not see any of his firm’s customers doing away with physical tokens in favor of the new product, he believes they view the system as a way to provide identification authentication to large groups of personnel.

A number of enterprises also are seeking solutions for customer use. For employee remote access, many organizations probably will continue to use tokens or smart cards; however, Leichter observes that outside partners and customers also may be permitted to access commercial extranets through the virtual system.

Secure Computing also is developing a subscription model for MobilePass. This is an important step because it will reach a larger end-user market and provide personnel with an easy way to sign onto the service for a monthly fee or add it into an Internet service they already are using. The company is discussing this possibility with service providers.

Leichter views the wireless industry as a major market for authentication systems. “We see the need growing rapidly. People are recognizing that passwords are not secure enough for many things and they are too difficult to use and too hard to remember—especially if you change them,” he says.

The health industry is one area where MobilePass could prove to be a useful tool. Passage of the Health Insurance Portability and Accountability Act of 1996, which requires increased levels of privacy for individual medical records, has heightened industry interest in network security. One advantage of an equipment-free system such as MobilePass is that doctors do not have to carry an additional device such as a token or smart card. However, Leichter notes that most doctors carry pagers, and hospitals have reliable pager services.

Occasional users represent another area of interest, for example, individuals or organizations that make only a monthly wire transfer to a bank. Because of the infrequency, a bank or the user will not invest in a separate security device, so the software is a perfect fit for these transactions, Leichter observes.

MobilePass originated from European requirements for mobile messaging systems to meet the growing appetite for cellular-telephone-based text messaging. European service providers approached Secure Computing for a means to deliver passwords to potentially millions of users through their cellular telephones. But the providers did not want to build the authentication engine necessary for this task, so the system was based on the PremierAccess authentication system. Leichter says that the firm has several European and Asian partners ready to roll out MobilePass in their respective markets.
